The application/cms Media Type 
Abstract 


This document registers the application/cms media type for use with 
the corresponding CMS (Cryptographic Message Syntax) content types. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This document is a product of the Internet Engineering Task Force 


(IETF). It represents the consensus of the IETF community. It has 
received public review and has been approved for publication by the 
Internet Engineering Steering Group (IESG). Not all documents 


approved by the IESG are a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc7193. 


Copyright Notice 


Copyright (c) 2014 IETF Trust and the persons identified as the 
document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(http://trustee.ietf.org/license-info) in effect on the date of 
publication of this document. Please review these documents 
carefully, as they describe your rights and restrictions with respect 
to this document. Code Components extracted from this document must 
include Simplified BSD License text as described in Section 4.e of 
the Trust Legal Provisions and are provided without warranty as 
described in the Simplified BSD License. 


Introduction 


[RFC5751] registered the application/pkcs7-mime media type. That 
document defined five optional smime-type parameters. The smime-type 
parameter originally conveyed details about the security applied to 
the data content type, indicating whether it was signed or enveloped, 
as well as the name of the data content; it was later expanded to 
indicate whether the data content is compressed and whether the data 
content contained a certs-only message. This document does not 
affect those registrations as this document places no requirements on 
S/MIME (Secure Multipurpose Internet Mail Extensions) agents. 


The registration done by the S/MIME documents was done assuming that 
there would be a MIME (Multipurpose Internet Mail Extensions) 
wrapping layer around each of the different enveloping contents; 
thus, there was no need to include more than one item in each smime- 
type. This is no longer the case with some of the more advanced 
enveloping types. Some protocols such as the CMC (Certificate 
Management over Cryptographic Message Syntax) [RFC5273] have defined 
additional S/MIME types. New protocols that intend to wrap MIME 
content should continue to define a smime-type string; however, new 
protocols that intend to wrap non-MIME types should use this 
mechanism instead. 


CMS (Cryptographic Message Syntax) [RFC5652] associates a content 
type identifier (OID) with specific content; CMS content types have 
been widely used to define contents that can be enveloped using other 
CMS content types and to define enveloping content types some of 
which provide security services. CMS protecting content types, those 
that provide security services, include: Signed-Data [RFC5652], 
Enveloped-Data [RFC5652], Digested-Data [RFC5652], Encrypted-Data 
[RFC5652], Authenticated-Data [RFC5652], Authenticated-Enveloped-Data 
[RFC5083], and Encrypted Key Package [RFC6032]. CMS non-protecting 
content types, those that provide no security services but 
encapsulate other CMS content types, include: Content Information 
[RFC5652], Compressed Data [RFC3274], Content Collection [RFC4073], 
and Content With Attributes [RFC4073]. Then, there are the innermost 
content types that include: Data [RFC5652], Asymmetric Key Package 
[RFC5958], Symmetric Key Package [RFC6031], Firmware Package 
[RFC4108], Firmware Package Load Receipt [RFC4108], Firmware Package 
Load Error [RFC4108], Trust Anchor List [RFC5914], TAMP Status Query, 
TAMP Status Response, TAMP Update, TAMP Update Confirm, TAMP Apex 
Update, TAMP Apex Update Confirmation, TAMP Community Update, TAMP 
Community Update Confirm, TAMP Sequence Adjust, TAMP Sequence Adjust 
Confirmation, TAMP Error [RFC5934], Key Package Error, and Key 
Package Receipt [RFC7191]. 


Turner, et al. Informational [Page 2] 


RFC 7193 application/cms Media Type April 2014 


To support conveying CMS content types, this document defines a media 
type and parameters that indicate the enveloping and embedded CMS 
content types. 


New CMS content types should be affirmative in defining the string 
that identifies the new content type and should additionally define 
if the new content type is expected to appear in the 
encapsulatedContent or innerContent parameter. 


1.1. Requirements Terminology 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in [RFC2119]. 


2. CMS Media Type Registration Applications 


This section provides the media type registration application for the 
application/cms media type (see [RFC6838], Section 5.6). 


Type name: application 

Subtype name: cms 

Required parameters: None. 

Optional parameters: 

  encapsulatingContent=y; where y is one or more CMS ECT 
  (Encapsulating Content Type) identifiers; multiple values are 
  encapsulated in quotes and separated by a folding-whitespace, a 
  comma, and folding-whitespace. ECT values are based on content 
  types found in [RFC3274], [RFC4073], [RFC5083], [RFC5652], and 
  [RFC6032]. This list can later be extended; see Section 4. 

    authData 
    compressedData 
    contentCollection 
    contentInfo 
    contentWithAttrs 
    authEnvelopedData 
    encryptedKeyPkg 
    digestData 
    encryptedData 
    envelopedData 
    signedData 

  innerContent=x; where x is one or more CMS ICT (Inner Content Type) 
  identifiers; multiple values are encapsulated in quotes and 
  separated by a folding-whitespace, a comma, and folding-whitespace. 
  ICT values are based on content types found in [RFC4108], 
  [RFC5914], [RFC5934], [RFC5958], [RFC6031], and [RFC7191]. This 
  list can later be extended; see Section 4. 

    firmwarePackage 
    firmwareLoadReceipt 
    firmwareLoadError 
    aKeyPackage 
    sKeyPackage 
    trustAnchorList 
    TAMP-statusQuery 
    TAMP-statusResponse 
    TAMP-update 
    TAMP-updateConfirm 
    TAMP-apexUpdate 
    TAMP-apexUpdateConfirm 
    TAMP-communityUpdate 
    TAMP-communityUpdateConfirm 
    TAMP-seqNumAdjust 
    TAMP-seqNumAdjustConfirm 
    TAMP-error 
    keyPackageReceipt 
    keyPackageError 

The optional parameters are case sensitive. 
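As an added illustration of the parameter syntax just described (this code is not part of the RFC), the following Python parses the value of a Content-Type header, unpacks the quoted FWS-comma-FWS lists, checks every name case-sensitively against the two registries as listed on this page, and flags the two parameters the registration says SHOULD be present. Splitting on ";" assumes parameter values contain no semicolons, which holds for every registered name.

```python
import re

# Registered names copied from the registration above; the values are case sensitive.
ENCAPSULATING = {
    "authData", "compressedData", "contentCollection", "contentInfo",
    "contentWithAttrs", "authEnvelopedData", "encryptedKeyPkg",
    "digestData", "encryptedData", "envelopedData", "signedData",
}
INNER = {
    "firmwarePackage", "firmwareLoadReceipt", "firmwareLoadError", "aKeyPackage",
    "sKeyPackage", "trustAnchorList", "TAMP-statusQuery", "TAMP-statusResponse",
    "TAMP-update", "TAMP-updateConfirm", "TAMP-apexUpdate", "TAMP-apexUpdateConfirm",
    "TAMP-communityUpdate", "TAMP-communityUpdateConfirm", "TAMP-seqNumAdjust",
    "TAMP-seqNumAdjustConfirm", "TAMP-error", "keyPackageReceipt", "keyPackageError",
}

def split_params(value):
    """'type/subtype; a=b; c="x , y"' -> (lowercased type/subtype, {name: raw value})."""
    # Simplification for this example: values are assumed to contain no ';' (true for
    # every registered name), so a plain split works and strip() removes the folding
    # whitespace that a folded header leaves around each ';'.
    pieces = [p.strip() for p in value.split(";")]
    params = {}
    for piece in pieces[1:]:
        name, sep, raw = piece.partition("=")
        if sep:
            params[name.strip()] = raw.strip()
    return pieces[0].lower(), params

def parse_list(raw):
    """One bare value, or several values quoted and separated by FWS ',' FWS."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return [v for v in re.split(r"\s*,\s*", raw.strip()) if v]

def check_cms_header(value):
    """Parse a Content-Type value; return (encapsulating list, inner list, problems)."""
    media_type, params = split_params(value)
    problems = []
    if media_type != "application/cms":
        problems.append("media type is %s, not application/cms" % media_type)
    enc = parse_list(params.get("encapsulatingContent", ""))
    inner = parse_list(params.get("innerContent", ""))
    # Registry names are case sensitive, so an exact string comparison is the right test.
    problems += ["unregistered ECT %r" % v for v in enc if v not in ENCAPSULATING]
    problems += ["unregistered ICT %r" % v for v in inner if v not in INNER]
    for name in ("encapsulatingContent", "innerContent"):   # both SHOULD be present
        if name not in params:
            problems.append("missing %s (SHOULD be present)" % name)
    return enc, inner, problems
```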


Encoding considerations: 


Binary. 


  [RFC5652] requires that the outermost encapsulation be 
  ContentInfo. 

Security considerations: 


The following security considerations apply: 

  +-----------+--------------------------------------------+
  | RFC       | CMS Protecting Content Type and Algorithms |
  +-----------+--------------------------------------------+
  | [RFC3370] | signedData, envelopedData,                 |
  | [RFC5652] | digestedData, encryptedData, and           |
  | [RFC5753] | authData                                   |
  | [RFC5754] |                                            |
  +-----------+--------------------------------------------+
  | [RFC5958] | aKeyPackage                                |
  | [RFC5959] |                                            |
  | [RFC6162] |                                            |
  +-----------+--------------------------------------------+
  | [RFC6031] | sKeyPackage                                |
  | [RFC6160] |                                            |
  +-----------+--------------------------------------------+
  | [RFC6032] | encryptedKeyPkg                            |
  | [RFC6033] |                                            |
  | [RFC6161] |                                            |
  +-----------+--------------------------------------------+
  | [RFC5914] | trustAnchorList                            |
  +-----------+--------------------------------------------+
  | [RFC3274] | compressedData                             |
  +-----------+--------------------------------------------+
  | [RFC5083] | authEnvelopedData                          |
  | [RFC5084] |                                            |
  +-----------+--------------------------------------------+
  | [RFC4073] | contentCollection and                      |
  |           | contentWithAttrs                           |
  +-----------+--------------------------------------------+
  | [RFC4108] | firmwarePackage,                           |
  |           | firmwareLoadReceipt, and                   |
  |           | firmwareLoadError                          |
  +-----------+--------------------------------------------+
  | [RFC5934] | TAMP-statusQuery, TAMP-statusResponse,     |
  |           | TAMP-update, TAMP-updateConfirm,           |
  |           | TAMP-apexUpdate,                           |
  |           | TAMP-apexUpdateConfirm,                    |
  |           | TAMP-communityUpdate,                      |
  |           | TAMP-communityUpdateConfirm,               |
  |           | TAMP-seqNumAdjust,                         |
  |           | TAMP-seqNumAdjustConfirm, and              |
  |           | TAMP-error                                 |
  +-----------+--------------------------------------------+
  | [RFC7191] | keyPackageReceipt and keyPackageError      |
  +-----------+--------------------------------------------+
In some circumstances, significant information can be leaked by 
disclosing what the innermost ASN.1 structure is. In these cases, 
it is acceptable to disclose the wrappers without disclosing the 
inner content type. 


ASN.1 encoding rules (e.g., DER and BER) have a type-length-value 
structure, and it is easy to construct malicious content with 
invalid length fields that can cause buffer overrun conditions. 
ASN.1 encoding rules allow for arbitrary levels of nesting, which 
may make it possible to construct malicious content that will 
cause a stack overflow. Interpreters of ASN.1 structures should 
be aware of these issues and should take appropriate measures to 
guard against buffer overflows and stack overruns in particular 
and malicious content in general. 
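As an added example (not from the RFC), the following bounds-checked DER walker in Python applies the two defences the paragraph calls for: every declared length is checked against the element that encloses it, not just against the end of the buffer, and recursion into constructed elements stops at a fixed nesting limit. MAX_DEPTH is a value chosen for this example, and the sample inputs (a minimal SEQUENCE carrying the id-data OID, an element that overruns its parent, and a tower of nested wrappers) are constructed here.

```python
MAX_DEPTH = 32   # nesting limit chosen for this example; the RFC sets no particular number
class DerError(ValueError):
    """Raised for any length, truncation or nesting violation."""

def read_header(buf, pos, end):
    """Decode tag+length in buf[pos:end]; 'end' bounds the ENCLOSING element, not the buffer."""
    if pos >= end:
        raise DerError("truncated tag at %d" % pos)
    tag = buf[pos]; pos += 1
    if (tag & 0x1F) == 0x1F:                    # high tag number: bytes continue while bit 7 set
        while pos < end and buf[pos] & 0x80:
            pos += 1
        pos += 1
    if pos >= end:
        raise DerError("truncated length at %d" % pos)
    first = buf[pos]; pos += 1
    if first < 0x80:                            # short form
        length = first
    else:                                       # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:    # 0x80 (indefinite) is not DER; cap at 4 bytes
            raise DerError("indefinite, oversized or truncated length at %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    if length > end - pos:                      # the check that stops buffer overruns
        raise DerError("length %d overruns enclosing element at %d" % (length, pos))
    return bool(tag & 0x20), pos, pos + length

def walk(buf, pos=0, end=None, depth=0):
    """Visit every element, recursing into constructed ones; return the element count."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:                       # the check that stops stack exhaustion
        raise DerError("nesting deeper than %d" % MAX_DEPTH)
    count = 0
    while pos < end:
        constructed, vstart, vend = read_header(buf, pos, end)
        count += 1 + (walk(buf, vstart, vend, depth + 1) if constructed else 0)
        pos = vend
    return count
def is_well_formed(buf):
    try:
        return walk(buf) >= 0
    except DerError:
        return False
# Constructed samples (not from the RFC): SEQUENCE { OID id-data, [0] {} }; an OCTET STRING
# declaring 16 bytes where its parent has only 1 left; and 41 nested [0] wrappers.
GOOD = bytes.fromhex("300d06092a864886f70d010701a000")
BAD_LENGTH = bytes.fromhex("3003041000")
DEEP = b"\xa0\x00"
for _ in range(40):
    DEEP = b"\xa0" + bytes([len(DEEP)]) + DEEP
```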


Interoperability considerations: 

  See [RFC3274], [RFC4073], [RFC4108], [RFC5083], [RFC5652], 
  [RFC5914], [RFC5934], [RFC5958], [RFC6031], [RFC6032], and 
  [RFC7191]. 

  In all cases, CMS content types are encapsulated within 
  ContentInfo structures [RFC5652]; that is, the outermost enveloping 
  structure is ContentInfo. 

  CMS [RFC5652] defines slightly different processing rules for 
  SignedData than does PKCS #7 [RFC2315]. This media type employs 
  the CMS processing rules. 

  The Content-Type header field of all application/cms objects 
  SHOULD include the optional "encapsulatingContent" and 
  "innerContent" parameters. 


The Content-Disposition header field [RFC4021] can also be 
included along with Content-Type's optional name parameter. 


Published specification: This specification. 
Applications that use this media type: 


Applications that support CMS (Cryptographic Message Syntax) 
content types. 


Fragment identifier considerations: N/A 
Additional information: 
Magic number(s): None 
File extension(s): .cmsc 
Macintosh File Type Code(s): 
Person & email address to contact for further information: 
Sean Turner <turners@ieca.com> 
Intended usage: COMMON 
Restrictions on usage: none 


Author: Sean Turner <turners@ieca.com> 


Change controller: The IESG <iesg@ietf.org> 
3. Example 

The following is an example encrypted status response message: 

  MIME-Version: 1.0 
  Content-Type: application/cms; encapsulatingContent=encryptedData; 
    innerContent=TAMP-statusResponse; name=status.cmsc 
  Content-Transfer-Encoding: base64 



4. IANA Considerations 


IANA has registered the media type application/cms in the Standards 
tree using the applications provided in Section 2 of this document. 

IANA has established two subtype registries called "CMS Encapsulating 
Content Types" and "CMS Inner Content Types". Entries in these 
registries are allocated by Expert Review [RFC5226]. The Expert will 
determine whether the content is an ECT or an ICT, where the rule is 
that an ICT does not encapsulate another content type while an ECT 
does encapsulate another content type. 


Initial values are as follows: 


(The Object Identifier column of both registry tables is not legible 
in this copy and is omitted; the names and references are as listed.) 

CMS Encapsulating Content Types 

  +--------------------+-----------+
  | ECT                | Reference |
  +--------------------+-----------+
  | authData           | [RFC5652] |
  | compressedData     | [RFC3274] |
  | contentCollection  | [RFC4073] |
  | contentInfo        | [RFC5652] |
  | contentWithAttrs   | [RFC4073] |
  | authEnvelopedData  | [RFC5083] |
  | encryptedKeyPkg    | [RFC6032] |
  | digestData         | [RFC5652] |
  | encryptedData      | [RFC5652] |
  | envelopedData      | [RFC5652] |
  | signedData         | [RFC5652] |
  +--------------------+-----------+

CMS Inner Content Types 

  +------------------------------+-----------+
  | ICT                          | Reference |
  +------------------------------+-----------+
  | firmwarePackage              | [RFC4108] |
  | firmwareLoadReceipt          | [RFC4108] |
  | firmwareLoadError            | [RFC4108] |
  | aKeyPackage                  | [RFC5958] |
  | sKeyPackage                  | [RFC6031] |
  | trustAnchorList              | [RFC5914] |
  | TAMP-statusQuery             | [RFC5934] |
  | TAMP-statusResponse          | [RFC5934] |
  | TAMP-update                  | [RFC5934] |
  | TAMP-updateConfirm           | [RFC5934] |
  | TAMP-apexUpdate              | [RFC5934] |
  | TAMP-apexUpdateConfirm       | [RFC5934] |
  | TAMP-communityUpdate         | [RFC5934] |
  | TAMP-communityUpdateConfirm  | [RFC5934] |
  | TAMP-seqNumAdjust            | [RFC5934] |
  | TAMP-seqNumAdjustConfirm     | [RFC5934] |
  | TAMP-error                   | [RFC5934] |
  | keyPackageReceipt            | [RFC7191] |
  | keyPackageError              | [RFC7191] |
  +------------------------------+-----------+
5. Security Considerations 


See the answer to the Security Considerations template questions in 
Section 2. 